
Nobody wants to install software that doesn't have a track record. This attack is exceptional, so it justifies an exceptional response. But the fact that I make that judgement doesn't mean that every ISP agrees.


Paul Mockapetris, chief scientist, Nominum

While the attack witnessed by BreakingPoint Systems appears to be the only DNS cache that has been confirmed poisoned, the telltale signs of attacks have been witnessed by many other network administrators.

One submitter to the mailing list for GMAME, an open-source content management system for newsgroups, showed a snippet of a log file that appeared to indicate that an attacker had tried to poison his server's entries for eBay, Microsoft, Google, Facebook and other popular online destinations.

Data collected by security firm Arbor Networks showed a massive increase in domain-name lookups since the July 8 DNS-flaw announcement. The data, however, is less a shadow of attacks on the infrastructure and more a measure of the worry of security-conscious users checking the patch level of their name severs, said Danny MacPhearson, CSO of Arbor Networks.

"I can't verify that any of the traffic was malicious," MacPhearson said. "The traffic we were seeing could have all been customers verifying that their server was patched or not."

Many security experts and bloggers have criticized major Internet service providers for moving too slow to fix the problem. Neal Krawetz, principal researcher for Hacker Factor Solutions, scanned DNS servers for the degree of randomness in their lookup requests -- an indication of the level of vulnerability of the servers -- and found major providers susceptible to attack. Among the 28 servers that appeared to be vulnerable on July 21 were those operated by Level3, Verizon, and Adelphia.

"Some of the ISPs have handled (patching) very well; others have surprised me with how poorly they have handled it," he said.

Yet, not everyone believes that Internet service providers' plodding pace is an indication that the companies are taking the DNS issue lightly. After all, the ISPs are adding a new software component to their networks, an act that should require some consideration, Paul Mockapetris, chief scientist for Internet infrastructure provider Nominum, said in an e-mail interview with SecurityFocus.

"Nobody wants to install software that doesn't have a track record," Mockapetris said. "This attack is exceptional, so it justifies an exceptional response. But the fact that I make that judgement doesn't mean that every ISP agrees."

Being leery of patches is just smart business, he said. This week, for example, Cisco released version 2.0 of its advisory on the DNS patch warning of issues that can affect customers that rely on its products' port-address translation (PAT).

"Telecom history is loaded with updates that brought down networks," Mockapetris said. "It's a judgement call that's hard to make and can have huge consequences."

Meanwhile, AT&T and other Internet service providers continue to patch.